Re: [AVT] SSRC to DTLS-SRTP mapping
At Thu, 21 Feb 2008 15:44:40 +0000,
Colin Perkins wrote:
>
> On 19 Feb 2008, at 23:03, Dan Wing wrote:
> >> On 19 Feb 2008, at 17:21, Dan Wing wrote:
> >> ...
> >>> However, I am worried about an attack flooding a device and causing
> >>> the device to perform SHA1 operations, when it seems we could
> >>> communicate the SSRC in the DTLS exchange (handshake or separate
> >>> message), and/or use source address verification to help protect
> >>> devices from such an attack.
> >>>
> >>> If it's only me that has this concern, I will sit back down in my
> >>> chair.
> >>
> >> I see the concern, but I think this has to work in the general case,
> >> without signalling support (except the DTLS handshake). I have no
> >> problem with there being optimisations possible in those cases where
> >> the SSRC to host/port pair mapping can be signalled out of band
> >> though, since there will certainly be scenarios where that's
> >> possible.
> >
> > Would dropping a DTLS packet on the floor if its source IP address and
> > port are different from the DTLS handshake be acceptable?
>
>
> Yes, I think so. Why do you think it might not be?
Dan, do you really mean "DTLS packet" or do you mean "SRTP Packet"?
Because I think the answer is different: for DTLS it is "yes" but
for SRTP it is "no"--again, unless I've badly misunderstood RTP,
which is totally possible.
-Ekr
_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
http://www.ietf.org/mailman/listinfo/avt